April 2014

Special Announcement:

This week was historic for both the Navy and the Information Dominance Community, the details of which are captured in our two articles. On the 2nd of April, 2014, Admiral Rogers took command of USCYBERCOM and NSA/CSS and Vice Admiral Tighe took command of TENTH Fleet. This marks for the first time in US Naval History that a restricted line officer heads a major combatant command and a female, also a restricted line officer, commands a numbered fleet. During their individual ceremonies, both ADM Rogers and VADM Tighe commented on the trust and pride they have in the personnel of their respective new commands.

This week’s Cyber Currents are wide ranging, and provide continuing evidence of the complexity and vitality of the cyber field, and remind us that cyber issues are driving national discussion and policy change (or creation).

In Current 1 we examine Cybercrime and Cyber Vulnerability. The first article links a 15 million scheme to kingpins from the Ukraine, and the second highlights an all-too-common situation where white-hat hackers highlight vulnerabilities to companies, but get unsatisfactory responses.

In Current 2, we examine DoD policy as it parallels traditional warfighting doctrinal debates, a contentious article that seeks to minimize the impact of cyber on warfare, a less-than-satisfactory GAO review of federal security incident responses, and finally some insight into Congress’ concerns as the US moves to a multi-stakeholder internet governance. Our own Cyber Center professor, Martin Libicki, is featured here with his thought provoking article on the question of who are our cyber strategists, and how distinct should they be from traditional, kinetic, human, platform strategists.

Current 3 focuses on two cyber defense exercises – both had a Navy footprint, but the NSA-sponsored CDX, which kicks off this week, will have a team from USNA vying to be the best at cyber defense and response among other military and collegiate teams. We also mention the Naval Academy Foreign Affairs Conference (NAVFAC) with distinguished guests such as former POTUS and Director of the CIA. This year’s NAVFAC will focus on Human Security in the Information Age.

Finally, we have two articles that show some currents in Industry – the increased security of users’ data (in this case Yahoo! encryption in part as a result of Snowden leaks), and if Google can convince the Supreme Court that data on open Wi-Fi networks should not have a reasonable expectation of privacy (and is in fact open for anyone to capture).

Current 1 – Malware and Hacking

The related currents about Ukraine seem to never cease. Though the annexation of Crimea nor formation of the new Ukrainian government aren’t the focal points, Ukraine still gets a nod in this week’s first Malware and Hacking story:
https://www.securityweek.com/two-plead-guilty-15-million-cybercrime-operation

As empirical evidence is showing – the Ukraine is still a major current in cyber security news. This article is an example that highlights a bank fraud scheme that was discovered and stopped before it could come to full fruition. As part of the scheme, hackers first gained access to the bank accounts of customers for more than a dozen global financial institutions and businesses, including Citibank, E-Trade and JP Morgan Chase Bank. After obtaining unauthorized access to the accounts, the ring leaders stole money from them and put it on prepaid debit cards and in bank accounts they controlled. The two men caught were low-level pawns in the scheme, and plead guilty to a number of charges, but stated that the ring leaders were both Ukrainian, and they are still at large.

Poland based research firm publically announced numerous vulnerabilities and exploits of a cloud-based service from technology giant, Oracle. The key here is that the security research firm announced the findings, to include attack code, without knowledge if Oracle patched the holes. In fact, the CEO stated they did it this way because Oracle representatives failed to resolve these issues when alerted privately. One can parallel this theme with broader cyber security – will the Federal Government, Commercial sector, Department of Energy SCADA managers, etc. take a round turn on cyber security only after vulnerabilities are well known, or will they invest in this field before disaster strikes?

Secretary of Defense Chuck Hagel delivered a policy-infused speech at the retirement ceremony for General Keith Alexander, former Director of the NSA and USCYBERCOM. In the speech he highlighted many of the currents this newsletter has discussed. Secretary Hagel, after commenting that our reliance on cyberspace outpaces our cyber security, states, “Our military's first responsibility is to prevent and de-escalate conflict and that is DOD's overriding purpose in cyberspace as well…DOD will maintain an approach of restraint to any cyber operations outside the U.S. Government networks.” He continued to emphasize the importance of a highly-trained cadre of cyber operation professionals and that the US will have to adapt to the increasing threat that a networked world presents.

As a counterpoint to the undertow presented by Cyber Currents, Mr. Martin C. Libicki, a researcher from the RAND Corporation, postulates that Cyber War and Cyber Warfare do not warrant a grand strategy such as Sea Power with Alfred Mahan or Air Warfare and Billy Mitchell. Libicki points out that the effects of cyber operations are limited because of their very nature – once they are discovered, they are nullified within a day or two, and that they are incapable (as of yet) of killing anyone. His well thought-out paper is an attempt to downplay both the strategic and tactical impact of a cyber war. Mr. Libicki does make certain presumptions about our military’s ability to operate seamlessly with pre-1960 infrastructure, and the potential effects of Cyber. Operating or even switching to a fully analog Navy is nearly out of the question – digital equipment is now tied into every part of warfighting; from the speed of the screw on a Frigate to the targeting and telemetry of an ICBM in flight. Cyber effects can affect everything in between (an integrated ship propulsion system is vulnerable to a full shutdown, or worse, an uncontrollable energize – and are we certain that the integrated chips that control the electronic compass in the ICBMs are not compromised?). While Mr. Libicki brings to the table many good points about the conduct of cyber warfare, he is taking the same path Billy Mitchell’s and Alfred Mahan’s opponents took.

Among calls for increased oversight and talk about a national breach notification law, the Government Accountability Office (GAO) will release a report highlighting inconsistencies among federal entities in their notification, response, and handling of cyber incidents. Appearing April 2 before the Senate Homeland Security and Governmental Affairs Committee, GAO said a preliminary assessment of a study of the effectiveness of government responses shows that the 24 major agencies did not consistently demonstrate adequate response in about 65 percent of reported incidents. The number of information security incidents at federal agencies has grown dramatically in recent years, more than doubling from 2009 through 2013, according to a GAO analysis of U.S.-CERT statistics. Lawmakers are still debating with industry about the correct course for the country, but the Obama association is intent on enacting a federal breach notification law.
http://www.theregister.co.uk/2014/04/03/icann_chehade_russia_china_take_over_net/

In accordance with President Obama’s stance on a multi-stakeholder controlled internet, ICANN, the non-profit organization in charge of managing the domain name service, has been in discussions with member of the House of Representatives to assuage some fears when the US Department of Commerce relinquishes control of these functions in 2015. One member of congress expressed concern that Russia or China would take advantage of the DNS structure without the oversight of the US. The ICANN lead made clear that they do not intend to allow any one government control over ICANN’s decision making process even without the oversight of the Department of Commerce – a job that has been relatively symbolic since ICANN was formed in 1998.

The education/training current is realized in the academic world as much as the military: The Mid-Atlantic Collegiate Cyber Defense Competition just concluded. The competition pitted eight teams from mid-Atlantic colleges against one another, all defending against security professionals posing as malicious hackers. The theme was how to conduct emergency operations during a natural disaster (in this case, a blizzard) while under persistent cyber attack; A scenario that may be realized in the near future. The competition, now in its ninth year, was the brainchild of cyber security professionals and academics, but it enjoys considerable support from the U.S. government, the U.S. military and military contractors, who use it to observe and recruit.

The Maryland Defense Force, the Maryland Army National Guard and the U.S. Navy all were on hand to support the competition and conduct their own training in computer network defenses.

Finally, just a reminder to our extended cyber team: this is a huge week for cyber here at USNA. On the more technical side of cyber operations, our midshipmen will be participating in the CDX (Cyber Defense Exercise – an NSA-sponsored exercise that pits defenders against the elite NSA Red Team) competition. On the more policy side, USNA is hosting NAFAC, the theme of which is "Human Security in the Information Age". Big name speakers include former POTUS and former CIA director. And, two members of the Cyber Center staff, Larry Cavaiola and Mark Hagerott, will be chairing two of the three panels with major cyber thinkers from around the world. See the NAFAC schedule here: http://www.usna.edu/NAFAC/conference/NAFAC%20Schedule.pdf

Google has proposed a notion that unencrypted 802.11 signals, and data contained therein, should be considered exempt from the Wiretap Act along with police/fire band and AM/FM radio. This would reverse a decision that holds Google liable for sniffing the packets from unencrypted networks. If the courts sided with Google, this would mean that it would be entirely legal for anyone to listen in on any wireless network traffic – content independent - that isn’t password protected – to include public Wi-Fi at coffee shops, or unencrypted home networks.

http://www.theregister.co.uk/2014/04/03/yahoo_crypto_revamp/
Not all things are bad from the fallout of Snowden’s disclosure: Yahoo! announced their plan to plus up privacy for its users by utilizing modern encryption schemes, and focusing on encrypting as many links in its infrastructure as possible. It was brought to light that Yahoo! did not encrypt its traffic between its data centers, which made it vulnerable to indiscriminate sniffing. These new changes will help protect Yahoo! users from low-level data collection which will bring it further in line with the industry standard.